[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
Re: [che-dev] Right place for dockerfile of CA cert generator job
|
How does this interact with the Che operator? Is it going to use the same
mechanism to install Che with TLS using the self-signed certs?
If yes, I'd definitely not put the dockerfile in the chectl codebase.
On Monday 10th Feb 2020 11:27:40 CET Mykola Morhun wrote:
> Hello.
> I am working on TLS by default in Che issue [1]
> We've decided to use Cert Manager for providing certificates for Che. But
> in case of self-signed certificate we should provide CA certificate to Cert
> Manager first. To not to bother users with TLS stuff, I generate CA
> certificate automatically using Kubernetes job. Obviously, the job has its
> own container with all the necessary tools in it. And at this point I have
> a question to which I am not sure I have the right answer.
> The question is: Where should we store dockerfile of this job container and
> when we should rebuild it.
> Also I should say, that this image will not be changed often.
>
> We have a few possible solutions:
>
> 1. Add the dockerfile into Che repository under dockerfiles folder and
> build it each time when Che builds. The image tag will be the same as Che
> version tag.
> 2. Add the dockerfile into `che-dockerfiles` organization [2] and build it
> manually, when needed. The image will have its own versioning.
> 3. Add the dockerfile in chectl repository, but build it manually on demand
> and have independent from Che versioning.
>
> Personally, I prefer the 3-rd item, let me briefly explain.
> As we use the job image only when installing Che with self-signed
> certificate, putting the dockerfile into Che would look weird for me as it
> will never be used in running Che. In case of che-dockerfiles we just
> decouple chectl components which (in my opinion) could only make issues
> while trying to find the source code of the component.
> About build of the image. Taking into account that the image will be
> changed hardly ever, it would be better to build it separately, on demand
> to reduce the workload of the CI. Build process it very straightforward: we
> have simple build script and a constant in chectl which points to the image
> to use.
>
> Maybe I miss some possible cases, so if someone has an idea where else we
> may store the dockerfile, I would be glad to hear another options.
>
> Opinions are welcomed!
>
> [1] - https://github.com/eclipse/che/issues/14742
> [2] - https://github.com/che-dockerfiles/